Document security system that permits external users to gain access to secured files

ABSTRACT

A system includes a server with an access manager configured to restrict access to files of an organization and maintain at least encryption keys for internal and external users and an external access server connected to the server and coupled between the server and a data network. The data network is configured to allow the external users use of the external access server. The external access server is also configured to permit file exchange between the internal users and the external users via the server.

CROSS-REFERENCE TO RELATED APPLICATION

This is a Division of U.S. application Ser. No. 10/262,218, filed Sep. 30, 2002, now allowed, which is hereby incorporated by reference in its entirety for all purposes.

U.S. application Ser. No. 10/262,218 is related to U.S. patent application Ser. No. 10/075,194, filed Feb. 12, 2002, now U.S. Pat. No. 8,065,713 issued on Nov. 22, 2011 and entitled “SYSTEM AND METHOD FOR PROVIDING MULTI-LOCATION ACCESS MANAGEMENT TO SECURED ITEMS,” which is hereby incorporated by reference in its entirety for all purposes.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to security systems for data and, more particularly, to security systems that protect data in an inter/intra enterprise environment.

2. Description of Related Art

The Internet is the fastest growing telecommunications medium in history. This growth and the easy access it affords have significantly enhanced the opportunity to use advanced information technology for both the public and private sectors. It provides unprecedented opportunities for interaction and data sharing among businesses and individuals. However, the advantages provided by the Internet come with a significantly greater element of risk to the confidentiality and integrity of information. The Internet is an open, public and international network of interconnected computers and electronic devices. Without proper security measures, an unauthorized person or machine may intercept any information traveling across the Internet, and may even get access to proprietary information stored in computers that interconnect to the Internet, but are otherwise generally inaccessible by the public.

As organizations become more dependent on networks for business transactions, data sharing, and everyday communications, their networks have to be increasingly accessible to customers, employees, suppliers, partners, contractors and telecommuters. Unfortunately, as the accessibility increases, so does the exposure of critical data that is stored on the network. Hackers can threaten all kinds of valuable corporate information resources including intellectual property (e.g., trade secrets, software code, and prerelease competitive data), sensitive employee information (e.g., payroll figures and HR records), and classified information (e.g., passwords, databases, customer records, product information, and financial data). Thus data security is becoming increasingly mission-critical.

There are many efforts in progress aimed at protecting proprietary information traveling across the Internet and controlling access to computers carrying the proprietary information. Every day hundreds of thousands of people interact electronically, whether it is through e-mail, e-commerce (business conducted over the Internet), ATM machines or cellular phones. The perpetual increase of information transmitted electronically has led to an increased reliance on cryptography.

In protecting the proprietary information traveling across the Internet, one or more cryptographic techniques are often used to secure a private communication session between two communicating computers on the Internet. Cryptographic techniques provide a way to transmit information across an unsecure communication channel without disclosing the contents of the information to anyone eavesdropping on the communication channel. An encryption process is a cryptographic technique whereby one party can protect the contents of data in transit from access by an unauthorized third party, yet the intended party can read the data using a corresponding decryption process.

Many organizations have deployed firewalls, Virtual Private Networks (VPNs), and Intrusion Detection Systems (IDS) to provide protection. Unfortunately, these various security means have been proven insufficient to reliably protect proprietary information residing on their internal networks. For example, depending on passwords to access sensitive documents from within often causes security breaches when a password only a few characters long is leaked or detected.

Enterprise security solutions secure data within an enterprise premise (e.g., internal networks). Some enterprise security solutions prohibit external users (clients) from having any access to secured data. Unfortunately, such enterprise security solutions are not suitable for use in a collaborative environment in which both regular internal users (e.g., employees) and external users (e.g., consultants) need to access some secured data of the enterprise.

Thus, there is a need for improved approaches to enable file security systems to permit external users to access secured data without compromising the integrity of an enterprise security system.

SUMMARY OF THE INVENTION

The invention relates to an improved system and approaches for exchanging secured files (e.g., documents) between internal users of an organization and external users. A file security system of the organization operates to protect the files of the organization and thus prevents or limits external users from accessing internal documents. Although the external users are unaffiliated with the organization (i.e., not employees or contractors), the external users often have working relationships with internal users. These working relationships (also referred to herein as partner relationships) often present the need for file (document) exchange. According to one aspect of the invention, external users having working relationships with internal users are able to be given limited user privileges within the file security system, such that restricted file (document) exchange is permitted between such internal and external users.

The invention can be implemented in numerous ways, including as a method, system, device, and computer readable medium. Several embodiments of the invention are discussed below.

An embodiment of the present invention provides a system that includes a server including an access manager configured to restrict access to files of an organization and maintain at least encryption keys for internal and external users and an external access server operatively connected to the server and coupled between the server and a data network. The data network is configured to allow the external users use of the external access server. In addition, the external access server is configured to permit file exchange between the internal users and the external users via the server.

Another embodiment of the present invention provides a method that includes restricting access to files in a server including an access manager that restricts access to files of an organization and maintains at least encryption keys for internal and external users, permitting file exchange between the internal users and the external users through an external access server operatively connected to the server and coupled between the server and a data network and using the data network to allow the external users to interact with the external access server.

A further embodiment of the present invention provides a computer-readable storage device having instructions stored thereon, execution of which, by a computing device, causes the computing device to perform operations including restricting access to files in a server, including an access manager that restricts access to files of an organization and maintains at least encryption keys for internal and external users, permitting file exchange between the internal users and the external users through an external access server operatively connected to the server and coupled between the server and a data network and using the data network to allow the external users to interact with the external access server.

Other objects, features, and advantages of the present invention will become apparent upon examining the following detailed description of an embodiment thereof, taken in conjunction with the attached drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be readily understood by the following detailed description in conjunction with the accompanying drawings, wherein like reference numerals designate like structural elements, and in which:

FIG. 1 is a block diagram of a document security system according to one embodiment of the invention.

FIG. 2 is a flow diagram of relationship setup processing according to one embodiment of the invention.

FIG. 3 is a flow diagram of document delivery processing according to one embodiment of the invention.

FIG. 4 is a flow diagram of document access processing according to one embodiment of the invention.

FIG. 5 is a flow diagram of access control processing according to one embodiment of the invention.

FIG. 6 is a flow diagram of client-side document delivery processing according to one embodiment of the invention.

FIG. 7 is a flow diagram of server-side document delivery processing according to one embodiment of the invention.

FIG. 8 shows a basic security system in which the invention may be practiced in accordance with one embodiment thereof.

FIG. 9 shows an exemplary data structure of a secured file that may be used in one embodiment of the invention.

DETAILED DESCRIPTION OF THE INVENTION

The invention relates to an improved system and approaches for exchanging secured files (e.g., documents) between internal users of an organization and external users. A file security system of the organization operates to protect the files of the organization and thus prevents or limits external users from accessing internal documents. Although the external users are unaffiliated with the organization (i.e., not employees or contractors), the external users often have working relationships with internal users. These working relationships (also referred to herein as partner relationships) often present the need for file (document) exchange. According to one aspect of the invention, external users having working relationships with internal users are able to be given limited user privileges within the file security system, such that restricted file (document) exchange is permitted between such internal and external users. The invention is suitable for use in an enterprise file security system.

A file security system (or document security system) serves to limit access to files (documents) to authorized users. Often, an organization, such as a company, would use a file security system to limit access to its files (documents). For example, users of a group might be able to access files (documents) pertaining to the group, whereas other users not within the group would not be able to access such files (documents). Such access, when permitted, would allow a user of the group to retrieve a copy of the file (document) via a data network.

As used herein, a user may mean a human user, a software agent, a group of users, a member of a group of users, a device and/or an application. Besides a human user who needs to access a secured document, a software application or agent sometimes needs to access secured files in order to proceed. Accordingly, unless specifically stated, the “user” as used herein does not necessarily pertain to a human being.

Secured files are files that require one or more keys, passwords, access privileges, etc. to gain access to their content. According to one aspect of the invention, the security is provided through encryption and access rules. The files, for example, can pertain to documents, multimedia files, data, executable code, images and text. In general, a secured file can only be accessed by authenticated users with appropriate access rights or privileges. In one embodiment, each secured file is provided with a header portion and a data portion, where the header portion contains or points to security information. The security information is used to determine whether access to associated data portions of secured files is permitted.

In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. However, it will become obvious to those skilled in the art that the invention may be practiced without these specific details. The description and representation herein are the common meanings used by those experienced or skilled in the art to most effectively convey the substance of their work to others skilled in the art. In other instances, well-known methods, procedures, components, and circuitry have not been described in detail to avoid unnecessarily obscuring aspects of the present invention.

Reference herein to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the invention. The appearances of the phrase “in one embodiment” in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Further, the order of blocks in process flowcharts or diagrams representing one or more embodiments of the invention does not inherently indicate any particular order nor imply any limitations in the invention.

Embodiments of the present invention are discussed herein with reference to FIGS. 1-9. However, those skilled in the art will readily appreciate that the detailed description given herein with respect to these figures is for explanatory purposes as the invention extends beyond these limited embodiments.

FIG. 1 is a block diagram of a document security system 100 according to one embodiment of the invention. The document security system 100 is responsible for providing protection of electronic data in an organization and includes a central server 102 that controls the overall operation of the document security system 100. The central server 102 imposes restrictions on the access to secured documents that are stored centrally or locally.

The central server 102 is assisted by a key store 104. Among other things, the key store 104 can store key pairs (public and private keys). In one embodiment, the key store 104 can be implemented in a database that stores key pairs (among other things). The central server 102 is also assisted by local servers 106 and 108 that can provide distributed access control. Various internal users of an organization that are utilizing the document security system 100 interact with the central server 102 and/or one of the local servers 106 and 108. These internal users are represented by users 110-116. As illustrated in the embodiment shown in FIG. 1, user I-A 110 and user I-B 112 are affiliated with the local server 106, and user I-C 114 and user I-D 116 are affiliated with the local server 108. It should be understood, however, that various other arrangements or configurations of local servers and users can be utilized.

The document security system 100 also facilitates access by external users to secured documents that are maintained by the document security system 100. In this regard, the document security system 100 includes an external access server 118. The external access server 118 allows external users to be granted access to some of the secured documents. More particularly, the external access server 118 is coupled between a private network 121 in the document security system 100 and a (public) data network 120 and thus facilitates the access from external users 122-128 to some of the secured files without compromising the security integrity of the document security system 100. The data network 120 is, for example, a global computer network, a wide area network or a local area network. Since the external users 122-128 are not directly affiliated with the organization, they are often given only limited access rights to some of the secured documents from machines coupled to the data network 120. Although the document security system 100 shown in FIG. 1 illustrates multiple local servers 106 and 108, multiple internal users 110-116 and multiple external users 122-128, it should be recognized that the document security system 100 can, more generally, utilize zero or more local servers, one or more internal users, and one or more external users.

According to one embodiment of the invention, external users are permitted to be members of user groups maintained by the central server 102. As such, the external users are able to exchange certain secured documents with internal users. In one embodiment, the exchange of the secured documents between internal and external users is limited to exchanges between members of a common user group. Despite document exchange capabilities, the external users are unable to perform various operations with respect to user groups that internal users would be able to perform. For example, external users would be unable to change group membership or to query group membership to determine who the members of the user group are. Typically, an external user would be added to a particular user group when a relationship between the organization and the external user is arranged. The exchange of documents between internal users and external users is secured using public key encryption. The document security system 100 manages the storage and accessibility of public and private keys for the internal and external users. The document security system 100 can advantageously minimize the client software needed at the machines utilized by the external users.

The invention facilitates exchange of files (e.g., documents) between internal users of an organization and external users. Although the external users are unaffiliated with the organization (i.e., not employees or contractors), the external users often have working relationships with internal users. These working relationships (also referred to herein as partner relationships) often present the need for file (document) exchange. A file security system (e.g., document security system 100) of the organization operates to protect the files of the organization and thus prevents or limits external users from accessing internal documents. According to the invention, external users having working relationships with internal users are able to be given limited user privileges within a file security system such that restricted file (document) exchange is permitted between such internal and external users.

FIG. 2 is a flow diagram of relationship setup processing 200 according to one embodiment of the invention. The relationship setup processing 200 operates to arrange or set up a partner relationship between a partner and an organization (e.g., a company). The organization is typically represented by an internal user or a group of users, and the partner is typically represented by one or more external users.

The relationship setup processing 200 initially establishes 202 a partner relationship between a partner and an organization. In this context, the organization is deemed to protect various documents of the organization and its various internal users. In one embodiment, the organization uses a file (document) security system to protect the various documents. The partner is deemed external to the organization. However, the partner is desirous of exchanging documents with the organization. The partner relationship between the partner and the organization (or between respective members thereof) is such that document exchange is permitted so that mutual business objectives can be efficiently achieved. After the partner relationship has been established 202, key pairs are created 204. The key pairs are used in document exchanges between the partner and the organization (e.g., between respective individuals thereof). For example, each of the partner and the organization would have a public key for encryption, as well as a private key for decryption. For example, to release a document from the organization to the partner, the organization would secure (e.g., encrypt) the document using the public key of the partner and then, upon acquiring the secured document, the partner would unsecure (e.g., decrypt) the secured document using its private key. Similarly, when the partner releases a document to the organization, the partner can secure (e.g., encrypt) the document using the public key of the organization and then, upon acquiring the secured document, the organization can unsecure (e.g., decrypt) the document using its private key. After the key pairs are created 204, the key pairs can be stored 206 to a key store. In one embodiment, the key store is within the file security system. System rights for the partner can then be configured 208. The system rights can be configured to permit limited access privileges to the partner. For example, the partner can be configured to include one or more of its employees within a user group maintained for the organization. After the system rights have been configured 208, the relationship setup processing 200 ends.

According to one embodiment, a partner relationship between an organization and a partner can confer on the partner: (i) query rights, and (ii) rights to get public keys of the organization. For example, query rights might include the right to get members of a group used by the file security system. However, having the right to get public keys of the organization does not give access to secured documents of the organization.

FIG. 3 is a flow diagram of document delivery processing 300 according to one embodiment of the invention. The document delivery processing 300 serves to deliver a secured document from an internal user to an external user. The internal user is associated with an organization, and the external user is associated with the partner.

The document delivery processing 300 begins with a decision 302 that determines whether a request to release a document to an external user has been received. In one embodiment, the request to release a document to an external user is initiated by an internal user. When the decision 302 determines that a request to release a document to an external user has not yet been received, the document delivery processing 300 awaits such a request. In other words, the document delivery processing 300 can be considered to be invoked when a request to release a document to an external user is received.

After a request to release a document to an external user has been received, a public key associated with the external user is retrieved 304 from a key store. In general, the key store serves to store a plurality of keys utilized by a document security system of the organization. In one embodiment, the key store can be the key store 104 illustrated in FIG. 1. Next, a decision 306 determines whether a public key associated with the external user was available from the key store. In one embodiment, the availability of the public key is controlled by the partner relationship. When the decision 306 determines that the key store does not have a public key associated with the external user, then the document is not permitted to be delivered to the external user and thus the request is denied 308. Here, the particular external user is deemed not authorized to exchange documents with either the organization in general, or an internal user in particular.

On the other hand, when the decision 306 determines that a public key associated with the external user is available from the key store, then at least a portion of security information for the secured document is encrypted 310 using the public key. In one embodiment, the secured document that is to be delivered to the external user has a security information portion (also known as a header portion) and a data portion. The security information portion includes the security information providing restrictive access to the secured document. The security information may include access control components, such as keys or access rules that are utilized to control access to the data portion of the secured document. When the decision 306 determines that a public key is available, then at least a part of the security information portion for the secured document is encrypted 310 using the public key. Then, access control restrictions can be imposed 312 on the external user. The access control restrictions can limit the type, character or extent of access that the external user is granted with respect to the secured document. For example, the access control restrictions can be imposed by providing access rules within the security information portion of the secured document. After the access control restrictions are imposed 312 and encryption 310 with the public key, the secured document is released 314 to the external user. In one embodiment, the secured document is released 314 by being transmitted. Typically, the transmission of the secured document to the external user is performed through one or more networks (e.g., data networks). After the secured document has been released 314 to the external user (or after operation 308 when the request to deliver the secured document to the external user is denied), the document delivery processing 300 is complete and ends.

FIG. 4 is a flow diagram of document access processing 400 according to one embodiment of the invention. The document access processing 400 involves an external user accessing a secured document that has been made available to the external user by an internal user.

The document access processing 400 begins with the external user acting to login 402 to an external access server. The external access server is associated with the document security system and utilized to permit limited external access to the document security system. As an example, the external access server can be the external access server 118 illustrated in FIG. 1.

A decision 404 then determines whether the login 402 has been successful. When the decision 404 determines that login has not been successful, then access is denied 406 to the external access server and no secured documents are made available to external users. Following the operation 406, the document access processing 400 is complete and ends as the external user was unable to successfully log into the external access server.

On the other hand, when the decision 404 determines that the external user has successfully logged into the external access server, then a private key associated with the external user is retrieved 408. In one embodiment, the private key is downloaded from the document security system via the external access server. In another embodiment, the private key is recovered locally.

Next, a decision 410 determines whether an access request for an encrypted document has been received. When the decision 410 determines that an access request for the secured document has not yet been received, a decision 412 determines whether the document access processing 400 should end. When the decision 412 determines that the document access processing 400 should not end, then the document access processing 400 returns to repeat the decision 410 and subsequent operations. On the other hand, when the decision 412 determines that the document access processing 400 should end, then the document access processing 400 is complete and ends.

Alternatively, when the decision 410 determines that an access request for the secured document has been received, then at least a portion of the security information for the secured document is decrypted 414 using the private key. Next, document level security is evaluated 416 to permit or deny access to the document contents. Following the operation 416, the document access processing 400 is complete and ends.

FIG. 5 is a flow diagram of access control processing 500 according to one embodiment of the invention. The access control processing 500 is, for example, suitable for use as the operations carried out by the operation 416 illustrated in FIG. 4.

The access control processing 500 initially obtains 502 access rules associated with the secured document. In one embodiment, the access rules are provided within the security information portion of the secured document. The access rules are then evaluated 504 against the access privilege of the user attempting to access the secured document. A decision 506 then determines whether the access rules are satisfied. When the decision 506 determines that the access rules are not satisfied, then access to the secured document is denied. Alternatively, when the decision 506 determines that the access rules are satisfied, then a file key associated with the secured document is obtained 510. In one embodiment, the file key is provided within the security information portion of the secured document. The file key can be encrypted or in a clear format. In the case in which the file key is itself encrypted, the file key is first decrypted. Next, the secured document is decrypted 512 using the file key. Following the operation 512, the access control processing 500 is complete and ends.
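The key-pair creation of relationship setup (204), the delivery path of FIG. 3 (public-key lookup, wrapping the file key in the header and imposing access rules) and the access path of FIGS. 4 and 5 (unwrapping the file key with the private key, evaluating the rules, decrypting the data portion), as an added Go example that is not part of the patent or of any product it describes. The rule shape, the user-name keyed key store, and the choice of RSA-OAEP for the file key with AES-GCM for the data portion are assumptions; the patent fixes none of them, and the same Deliver call serves the client-side path of FIG. 6 when given the internal user's public key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"slices"
)

// AccessRules is the access-rule part of the security information (a shape constructed for this example; the page fixes no format).
type AccessRules struct {
	Group       string   // the common user group of sender and recipient
	Permissions []string // actions the recipient may perform, e.g. "read"
}

// SecuredFile is a header portion (access rules plus the file key wrapped for the recipient) and a data portion encrypted under the file key.
type SecuredFile struct {
	Rules          AccessRules
	WrappedFileKey []byte
	Nonce          []byte
	Data           []byte
}

// KeyStore maps user names to public keys; a missing entry means no partner relationship supplied one (decision 306 leads to denial 308).
type KeyStore map[string]*rsa.PublicKey

var ErrNoPublicKey = errors.New("no public key for recipient: request denied")
var ErrAccessDenied = errors.New("access rules not satisfied: access denied")

func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048) // key-pair creation step of relationship setup (204)
}

// Deliver is document delivery processing (FIG. 3): look up the recipient's public
// key, encrypt the document under a fresh file key, wrap that key for the recipient
// (310) and impose access rules (312), bound to the ciphertext as GCM additional data.
func Deliver(ks KeyStore, recipient string, plaintext []byte, rules AccessRules) (*SecuredFile, error) {
	pub, ok := ks[recipient]
	if !ok {
		return nil, ErrNoPublicKey
	}
	fileKey := randBytes(32) // AES-256 file key, fresh for every secured file
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	ad, _ := json.Marshal(rules) // cannot fail for these field types
	return &SecuredFile{Rules: rules, WrappedFileKey: wrapped, Nonce: nonce,
		Data: gcm.Seal(nil, nonce, plaintext, ad)}, nil
}

// Access is document access processing after login (FIG. 4, 414 and 416) with access
// control processing (FIG. 5): evaluate the rules, obtain the file key, decrypt.
func Access(sf *SecuredFile, priv *rsa.PrivateKey, groups []string, action string) ([]byte, error) {
	if !rulesSatisfied(sf.Rules, groups, action) {
		return nil, ErrAccessDenied // decision 506: rules not satisfied
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, sf.WrappedFileKey, nil)
	if err != nil {
		return nil, err // wrong private key: this user was not the recipient
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	ad, _ := json.Marshal(sf.Rules)
	return gcm.Open(nil, sf.Nonce, sf.Data, ad) // fails if rules or data were altered
}

// rulesSatisfied is the evaluation step (504): the requester must belong to the
// rule's group and the requested action must be among the permitted ones.
func rulesSatisfied(r AccessRules, groups []string, action string) bool {
	return slices.Contains(groups, r.Group) && slices.Contains(r.Permissions, action)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // the system CSPRNG failed; nothing sensible can continue
	}
	return b
}
```

Because the recipient's client already holds the wrapped file key, the rule check in Access is a policy enforcement point in client software rather than a cryptographic barrier; binding the rules as additional data stops them being edited undetected, but does not stop a modified client from skipping the check.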

FIGS. 6 and 7 pertain to document delivery processing in which an external user provides a secured document to an internal user. FIG. 6 is a flow diagram of client-side document delivery processing 600 according to one embodiment of the invention. The client-side document delivery processing 600 is referred to as client-side because a client machine associated with the external user is performing or initiating the operations.

The client-side document delivery processing 600 begins with a decision 602 that determines whether a request (from an external user) to release a document to an internal user has been received. When the decision 602 determines that a request to release a document to an internal user has not yet been received, the client-side document delivery processing 600 awaits such a request. Once the decision 602 determines that a request to release a document to an internal user has been received, the client-side document delivery processing 600 continues. In other words, the client-side document delivery processing 600 can be considered to be invoked when the decision 602 determines that a request to release a document to an internal user has been received. The external user can interact with the client machine to initiate or make such a request.

After the decision 602 determines that a request to release a document to an internal user has been received, a public key associated with the internal user is requested 604. Here, according to one embodiment, the public key associated with the internal user is requested 604 from the document security system. A decision 606 then determines whether a response has been received. When the decision 606 determines that a response has not yet been received, the client-side document delivery processing 600 awaits such a response. When the decision 606 determines that a response has been received, a decision 608 first determines whether the request is from an external user who is who they claim to be. According to one embodiment, certificates are used to prevent someone from impersonating someone else. Depending on implementation, a certificate of the external user may be issued by a third party (e.g., a Certificate Authority) or by the document security system itself. When the decision 608 determines that the external user is not who they claim to be, then the request is denied 610 because the response received was presumably from an unauthorized user or system.

On the other hand, when the decision 608 determines that the external user is who they claim to be (i.e., an authorized user), a decision 612 determines whether a public key is available. Here, the response received is examined to determine whether the response includes the public key associated with the internal user. Hence, when the public key is available, it is provided with the response being received. In one embodiment, the availability of the public key is controlled by the partner relationship.

When the decision 612 determines that the public key is not available,then the request is denied 610 because the client machine does not haveaccess to the public key associated with the internal user. On the otherhand, when the decision 612 determines that the public key is available,then at least a portion of the security information for the secureddocument is encrypted 614 using the public key. In one embodiment, afile key within the security information for the secured document isencrypted using the public key. Thereafter, the secured document isreleased 616 to the internal user. In one embodiment, the secureddocument is released 616 by being transmitted. Following the operations610 or 616, the client-side document delivery processing 600 is completeand ends.

FIG. 7 is a flow diagram of server-side document delivery processing 700 according to one embodiment of the invention. The server-side document delivery processing 700 is, for example, performed by the document security system, such as the document security system 100 illustrated in FIG. 1. The server-side document delivery processing 700 is responsive to a public key request from the client-side document delivery processing 600.

The server-side document delivery processing 700 begins with a decision 702 that determines whether a request for a public key from an external user has been received. In one embodiment, the request is provided by the operation 604 of the client-side document delivery processing 600 illustrated in FIG. 6. When the decision 702 determines that a request for a public key has not yet been received, then the server-side document delivery processing 700 awaits such a request. When the decision 702 determines that a request for a public key has been received, then a decision 704 determines whether the external user (requestor) is authorized to obtain the public key. Here, the authorization can be determined based on whether a partner relationship has been previously established between the external user and an organization. When the decision 704 determines that the external user is not authorized to receive the public key, then a response is prepared 710 indicating that access has been denied.

On the other hand, when the decision 704 determines that the external user is authorized to obtain the public key, then the public key associated with the internal user is retrieved 706 from a key store. The key store can, for example, be implemented as a database provided within the document security system. After the public key associated with the internal user has been retrieved 706, a response including the public key can be prepared 708. After the response has been prepared in operations 708 or 710, the response is signed 712 with a certificate for the organization. In one embodiment, the certificate would have been previously embedded a priori in the machine (e.g., client machine) of the external user. The signed response is then transmitted 714 to the external user. Typically, the transmission of the signed response is sent to the external user over a secured channel through a network (data network, e.g., the Internet). Following the operation 714, the server-side document delivery processing 700 is complete and ends.
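The public-key exchange of FIG. 6 and FIG. 7, as an added example that is not part of the patent or of any product it describes. It is written in Go with only the standard library; the user names (alice, bob, mallory), the JSON message shape, ECDSA P-256 for the organization's signature and RSA-OAEP for wrapping the file key are all assumptions, since the page names no particular algorithms or certificate format. The server signs denials as well as grants (operation 712), so the client can tell an authentic denial from a dropped or forged response, and the client refuses to release anything when the signature does not verify against the organization's embedded public key (decision 608) or when no public key is provided (decision 612).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
)

// KeyResponse is the body of the server's reply (operations 708 and 710).
type KeyResponse struct {
	Denied       bool   `json:"denied"`
	InternalUser string `json:"internal_user"`
	PublicKey    []byte `json:"public_key,omitempty"` // PKIX DER of the internal user's RSA public key
}

// SignedResponse is what is transmitted 714 over the data network.
type SignedResponse struct {
	Body      []byte // JSON-encoded KeyResponse
	Signature []byte // ECDSA (ASN.1) signature over SHA-256(Body) by the organization's key (712)
}

// Server models the document security system (FIG. 7).
type Server struct {
	orgKey   *ecdsa.PrivateKey          // private key behind the organization's certificate
	keyStore map[string]*rsa.PublicKey  // key store: internal user -> public key (706)
	partners map[string]map[string]bool // external user -> internal users in a partner relationship (704)
}

// HandleKeyRequest answers a public-key request (702) from an external user.
func (s *Server) HandleKeyRequest(externalUser, internalUser string) (SignedResponse, error) {
	resp := KeyResponse{InternalUser: internalUser}
	pub, known := s.keyStore[internalUser]
	if !s.partners[externalUser][internalUser] || !known {
		resp.Denied = true // 710: no partner relationship (or no such internal user)
	} else {
		der, err := x509.MarshalPKIXPublicKey(pub)
		if err != nil { return SignedResponse{}, err }
		resp.PublicKey = der // 708
	}
	body, err := json.Marshal(resp)
	if err != nil { return SignedResponse{}, err }
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, s.orgKey, digest[:]) // 712: grants and denials are both signed
	if err != nil { return SignedResponse{}, err }
	return SignedResponse{Body: body, Signature: sig}, nil
}

// Client models the external user's machine (FIG. 6); orgPub is the organization certificate's public key, embedded a priori.
type Client struct{ orgPub *ecdsa.PublicKey }

// ReleaseFileKey performs decisions 606 to 614: verify that the response came from the
// organization, check that a public key is available, then wrap the file key for the internal user.
func (c *Client) ReleaseFileKey(resp SignedResponse, fileKey []byte) ([]byte, error) {
	digest := sha256.Sum256(resp.Body)
	if !ecdsa.VerifyASN1(c.orgPub, digest[:], resp.Signature) { return nil, errors.New("denied 610: response not signed by the organization") } // 608
	var kr KeyResponse
	if err := json.Unmarshal(resp.Body, &kr); err != nil { return nil, err }
	if kr.Denied || len(kr.PublicKey) == 0 { return nil, errors.New("denied 610: no public key available for the internal user") } // 612
	parsed, err := x509.ParsePKIXPublicKey(kr.PublicKey)
	if err != nil { return nil, err }
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok { return nil, errors.New("internal user's key is not an RSA key") }
	// 614: RSA-OAEP is an assumed choice; the page names no public-key cipher.
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
}

// RecoverFileKey is the internal user's step after release 616: unwrap the file key.
func RecoverFileKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// NewDemo builds a server with one internal user "alice" and one partner "bob" (names and
// keys constructed for this example) plus a client holding the organization's public key.
func NewDemo() (*Server, *Client, *rsa.PrivateKey, error) {
	orgKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, nil, err }
	aliceKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, nil, err }
	srv := &Server{
		orgKey:   orgKey,
		keyStore: map[string]*rsa.PublicKey{"alice": &aliceKey.PublicKey},
		partners: map[string]map[string]bool{"bob": {"alice": true}},
	}
	return srv, &Client{orgPub: &orgKey.PublicKey}, aliceKey, nil
}

func main() {
	srv, cli, aliceKey, _ := NewDemo()
	resp, _ := srv.HandleKeyRequest("bob", "alice")
	wrapped, err := cli.ReleaseFileKey(resp, []byte("constructed-32-byte-file-key-xx!"))
	got, _ := RecoverFileKey(aliceKey, wrapped)
	fmt.Println("released:", err == nil, "alice recovered key:", string(got) == "constructed-32-byte-file-key-xx!")
}
```

The partner check lives only on the server side, where the relationship is recorded; the client never learns a public key it was not authorized to receive, because a denial carries no key at all, and the signature over the whole body prevents a network intermediary from swapping in a key of its own choosing.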

FIG. 8 shows a basic security system 800 in which the invention may be practiced in accordance with one embodiment thereof. The security system 800 may be employed in an enterprise or inter-enterprise environment. It includes a first server 808 (also referred to as a central server) providing centralized access management for the enterprise. The first server 808 can control restrictive access to files secured by the security system 800. To provide dependability, reliability and scalability of the system, one or more second servers 804 (also referred to as local servers, of which one is shown) may be employed to provide backup or distributed access management for users or client machines serviced locally. For illustration purposes, there are two client machines 801 and 802 being serviced by a local server 804. Alternatively, one of the client machines 801 and 802 may be considered as a networked storage device.

Secured files may be stored in any one of the devices 801, 802, 804, 806 and 812. When a user of the client machine 801 attempts to exchange a secured file with a remote destination 812 being used by an external user, one or more of the processing 200, 300, 400, 500, 600 and 700 discussed above are activated to ensure that the requested secured file is delivered without compromising the security imposed on the secured file.

FIG. 9 shows an exemplary data structure 920 of a secured file that may be used in one embodiment of the invention. The data structure 920 includes two portions: a header (or header portion) 922 and encrypted data (or an encrypted data portion) 924. The header 922 can be generated in accordance with a security template associated with the store and thus provides restrictive access to the data portion 924, which is an encrypted version of a plain file. Optionally, the data structure 920 may also include an error-checking portion 925 that stores one or more error-checking codes, for example, a separate error-checking code for each block of encrypted data 924. These error-checking codes may also be associated with a Cyclical Redundancy Check (CRC) for the header 922 and/or the encrypted data 924. The header 922 includes a flag bit or signature 927 and security information 926 that is in accordance with the security template for the store. According to one embodiment, the security information 926 is encrypted and can be decrypted with a user key associated with an authenticated user (or requestor).

The security information 926 can vary depending upon implementation. However, as shown in FIG. 9, the security information 926 includes a user identifier (ID) 928, access policy (access rules) 929, a file key 930 and other information 931. Although multiple user identifiers may be used, a user identifier 928 is used to identify a user or a group that is permitted to access the secured file. The access rules 929 provide restrictive access to the encrypted data portion 924. The file key 930 is a cipher key that, once obtained, can be used to decrypt the encrypted data portion 924 and thus, in general, is protected. In one implementation of the data structure 920, the file key 930 is encrypted in conjunction with the access rules 929. In another implementation of the data structure 920, the file key 930 is double encrypted with a protection key and further protected by the access rules 929. The other information 931 is an additional space for other information to be stored within the security information 926. For example, the other information 931 may be used to include other information facilitating secure access to the secured file, such as version number or author identifier.
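A concrete encoding of data structure 920, as an added example that is not part of the patent. The layout (the "SDOC" signature, JSON for the security information, AES-GCM under both the user key and the file key, a length and CRC-32 in front of every chunk, and a `read` rule) is constructed for this example; the page fixes none of those details, and it draws the error-checking codes as a separate portion 925 rather than beside each block as done here. `Access` mirrors the order a reader should enforce: decrypt the header 922 with the requester's user key, evaluate user ID 928 and access rules 929 (the evaluation claim 27 describes), verify each block's error-checking code, and only then apply the file key 930 to the encrypted data 924; a chunk length larger than the remaining file is rejected before any allocation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"encoding/json"
	"errors"
	"hash/crc32"
)

var signature = []byte("SDOC") // constructed value standing in for the flag bit or signature 927

// SecurityInfo is the plaintext form of security information 926.
type SecurityInfo struct {
	UserID      string          `json:"user_id"`      // 928: user or group permitted to access the file
	AccessRules map[string]bool `json:"access_rules"` // 929: e.g. {"read": true, "print": false}
	FileKey     []byte          `json:"file_key"`     // 930: AES-256 key protecting the data portion 924
}

// seal encrypts plaintext with AES-GCM (an assumed cipher; the page names none) and prefixes the nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, _ := cipher.NewGCM(block) // AES has a 16-byte block, so NewGCM cannot fail here
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong or the bytes were altered.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, _ := cipher.NewGCM(block)
	if len(sealed) < g.NonceSize() { return nil, errors.New("sealed data too short") }
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

func writeChunk(out *bytes.Buffer, b []byte) { // length | CRC-32 (error-checking code 925) | bytes
	binary.Write(out, binary.BigEndian, uint32(len(b)))
	binary.Write(out, binary.BigEndian, crc32.ChecksumIEEE(b))
	out.Write(b)
}

// readChunk reads one chunk written by writeChunk, refusing a length beyond the remaining bytes and checking its CRC.
func readChunk(r *bytes.Reader) ([]byte, error) {
	var h struct{ N, CRC uint32 }
	if err := binary.Read(r, binary.BigEndian, &h); err != nil { return nil, err }
	if int(h.N) > r.Len() { return nil, errors.New("chunk length exceeds file size") }
	buf := make([]byte, h.N)
	r.Read(buf)
	if crc32.ChecksumIEEE(buf) != h.CRC { return nil, errors.New("chunk failed its error check (925)") }
	return buf, nil
}

// Secure builds data structure 920: signature 927, header 922 (security info sealed with the user key), then 924 as blocks sealed with the file key.
func Secure(plain []byte, info SecurityInfo, userKey []byte, blockSize int) ([]byte, error) {
	if blockSize <= 0 { return nil, errors.New("blockSize must be positive") }
	infoJSON, err := json.Marshal(info)
	if err != nil { return nil, err }
	header, err := seal(userKey, infoJSON)
	if err != nil { return nil, err }
	var out bytes.Buffer
	out.Write(signature)
	writeChunk(&out, header)
	for i := 0; i < len(plain); i += blockSize {
		end := i + blockSize
		if end > len(plain) { end = len(plain) }
		blk, err := seal(info.FileKey, plain[i:end])
		if err != nil { return nil, err }
		writeChunk(&out, blk)
	}
	return out.Bytes(), nil
}

// Access opens a secured file for requester: decrypt header 922 with the user key, check 928 and 929, verify each block's CRC, then use file key 930 on 924.
func Access(file, userKey []byte, requester string) ([]byte, error) {
	if !bytes.HasPrefix(file, signature) { return nil, errors.New("not a secured file: signature 927 missing") }
	r := bytes.NewReader(file[len(signature):])
	header, err := readChunk(r)
	if err != nil { return nil, err }
	infoJSON, err := open(userKey, header)
	if err != nil { return nil, errors.New("header 922 cannot be decrypted with this user key") }
	var info SecurityInfo
	if err := json.Unmarshal(infoJSON, &info); err != nil { return nil, err }
	if info.UserID != requester || !info.AccessRules["read"] { return nil, errors.New("user ID 928 or access rules 929 deny this requester") }
	var plain []byte
	for r.Len() > 0 {
		blk, err := readChunk(r)
		if err != nil { return nil, err }
		p, err := open(info.FileKey, blk)
		if err != nil { return nil, errors.New("a data block failed authentication") }
		plain = append(plain, p...)
	}
	return plain, nil
}
```

Because the file key 930 only ever exists inside the sealed header, a party holding the file but not a matching user key learns neither the key nor the plaintext, and a corrupted block is reported by its CRC before any decryption is attempted.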

The invention is preferably implemented by software or a combination of hardware and software, but can also be implemented in hardware. The invention can also be embodied as computer readable code on a computer readable medium. The computer readable medium is any data storage device that can store data which can thereafter be read by a computer system. Examples of the computer readable medium include read-only memory, random-access memory, CD-ROMs, DVDs, magnetic tape, optical data storage devices, and carrier waves. The computer readable medium can also be distributed over network-coupled computer systems so that the computer readable code is stored and executed in a distributed fashion.

The various embodiments, implementations and features of the invention noted above can be combined in various ways or used separately. Those skilled in the art will understand from the description that the invention can be equally applied to or used in other various different settings with respect to various combinations, embodiments, implementations or features provided in the description herein.

The advantages of the invention are numerous. Different embodiments or implementations may yield one or more of the following advantages. One advantage of the invention is that file security systems are able to protect secured files (e.g., documents) even when external users are provided limited access to secured files. Another advantage of the invention is that a file security system can permit external users to access certain secured files (e.g., secured documents) without compromising integrity of the file security system. For example, external users having working relationships with internal users are able to be given limited user privileges within the file security system such that restricted file (document) exchange is permitted between such internal and external users. Still another advantage of the invention is that the amount of specialized software required at machines utilized by external users is minimal.

The foregoing description of embodiments is illustrative of various aspects/embodiments of the present invention. Various modifications to the present invention can be made to the preferred embodiments by those skilled in the art without departing from the true spirit and scope of the invention as defined by the appended claims. Accordingly, the scope of the present invention is defined by the appended claims rather than the foregoing description of embodiments.

What is claimed is:
1. A system comprising: a server comprising an access manager configured to: restrict access to a file of an organization having an internal user responsive to a request for the file, the file comprising a header portion including an access rule that restricts access to the file, and a content portion encrypted by a file key; and determine whether a partner relationship exists between the organization and an external partner; a database coupled to the server and configured to store an encryption key for use between the internal user and the external partner comprising an external user, wherein the access manager is further configured to encrypt the file key, located within security information of the header portion of the file, with the encryption key in response to determining that the partner relationship exists between the organization and the external partner and deny the request in response to determining that the partner relationship does not exist; and an external access server operatively connected to the server and coupled between the server and a data network, the data network configured to allow the external user use of the external access server, wherein the external access server is configured to permit file exchange between the internal user and the external user via the server.
2. The system of claim 1, wherein file exchange between the internal and external users is permitted in response to the internal and external users being members of a common group.
3. The system of claim 1, wherein the encryption key comprises a public-private key pair, and wherein the access manager is configured to encrypt the security information with the public key.
4. The system of claim 1, wherein the server further comprises: a central server; and a local server operatively connected to the central server.
5. The system of claim 1, wherein the data network includes at least a part of an Internet.
6. The system of claim 1, wherein the external user is unaffiliated with the organization comprising the internal user.
7. The system of claim 1, wherein: the external user and the internal user are members of a common group; and the external user is unable to change group membership and is unable to query group membership to determine members of the common group.
8. A method comprising: maintaining, in a database, an encryption key for use between an organization comprising an internal user and an external partner comprising an external user; receiving, by a server coupled to the database, a request to access a file, the file comprising a header portion including an access rule that restricts access to the file and a content portion encrypted by a file key; determining whether a partner relationship exists between the organization and the external partner; encrypting the file key, located within security information of the header portion, with the encryption key in response to determining that the partner relationship exists between the organization and the external partner; and denying the request in response to determining that the partner relationship does not exist.
9. The method of claim 8, further comprising permitting file exchange between the internal user and the external user through an external access server in response to the internal user and the external user being members of a common group.
10. The method of claim 8, further comprising using a public-private key pair as the encryption key.
11. The method of claim 10, further comprising: encrypting the file key with the public key.
12. The method of claim 8, further comprising: communicating, in response to the file key being encrypted, the requested file via a data network.
13. The method of claim 8, wherein the external user is unaffiliated with the organization comprising the internal user.
14. The method of claim 13, further comprising: blocking the external user from changing group membership and querying group membership to determine members of a common group, the common group comprising the internal user and the external user.
15. A computer-readable storage device having instructions stored thereon, execution of which, by a computing device associated with an organization, causes the computing device to perform operations comprising: maintaining an encryption key for use between the organization comprising an internal user and an external partner comprising an external user; receiving a request to access a file at the computing device, the file comprising a header portion including an access rule that restricts access to the file and a content portion encrypted by a file key; determining whether a partner relationship exists between the organization and the external partner; encrypting the file key, located within security information of the header portion, with the encryption key in response to determining that the partner relationship exists between the organization and the external partner; and denying the request in response to determining that the partner relationship does not exist.
16. The computer-readable storage device of claim 15, the operations further comprising permitting file exchange between the internal user and the external user through an external access server in response to the internal user and the external user being members of a common group.
17. The computer-readable storage device of claim 15, further comprising using a public-private key pair as the encryption key.
18. The computer-readable storage device of claim 17, the operations further comprising: encrypting the file key with the public key.
19. The computer-readable storage device of claim 15, the operations further comprising: communicating, in response to the file key being encrypted, the requested file via a data network.
20. The computer-readable storage device of claim 15, wherein the external user is unaffiliated with the organization comprising the internal user.
21. A system comprising: a server comprising an access manager configured to restrict access to a file of an organization responsive to a request for the file, the file comprising a header portion including an access rule that restricts access to the file, and a content portion encrypted by a file key; a database coupled to the server and configured to store an encryption key associated with an external user, wherein the access manager is further configured to encrypt the file key, located within security information of the header portion of the file, with the encryption key in response to determining that the encryption key associated with the external user is available and deny the request in response to the encryption key not existing; and an external access server operatively connected to the server and coupled between the server and a data network, the data network configured to allow the external user use of the external access server, wherein the external access server is configured to transmit the file to the external user via the data network.
22. The system of claim 21, wherein the encryption key comprises a public-private key pair, and wherein the access manager is configured to encrypt the security information with the public key.
23. The system of claim 21, wherein the server further comprises: a central server; and a local server operatively connected to the central server.
24. The system of claim 21, wherein the data network includes at least a part of an Internet.
25. The system of claim 21, wherein the external user is unaffiliated with the organization.
26. The system of claim 21, wherein the external user is in a partner relationship with an internal user of the organization.
27. The system of claim 21, wherein the access manager is further configured to: decrypt the header portion of the file using the encryption key associated with the external user; and evaluate the access rule against an access privilege of the external user to determine whether to permit access to the file.